Secret CSO: Mandy Andress, Elastic

What advice would you give to aspiring security leaders? “Don’t focus on perfect security…”


Name: Mandy Andress

Organisation: Elastic

Job title: CSO

Date started current role: May 2018

Location: Massachusetts, USA

Elastic Chief Information Security Officer Mandy Andress, CISSP, is a published author and former lead of the information security function at MassMutual with a long career in information risk and security. She holds a JD, Master’s in management information systems, and BBA in accounting.

What was your first job? My first job out of university was with Deloitte as an IT Systems auditor.

How did you get involved in cybersecurity? As with many others, by chance. Computers and technology had always been a hobby. I had a professor, Professor Wolf, who pulled me aside after our systems auditing class one day and told me I should look into systems auditing and security as a career. I listened and it set me on a completely different path than I had originally planned.

What was your education? Do you hold any certifications? What are they? I enjoy school and am a bit over-educated as a result. My undergraduate degree is in Accounting and I have my CPA license. My Master's degree is in Management Information Systems (MIS). I also have a Law Degree and have passed the Bar to be certified to practice law. I also hold my CISSP certification for information security.

Explain your career path. Did you take any detours? If so, discuss. To a large extent, I feel my entire career is a detour. I had originally planned to be an accountant. Everything else is a detour. I listen to advice I receive and take advantage of challenging opportunities that come my way. I also listen to myself and the things that really interest me over time, which is what took me on my path through law school.

Was there anyone who has inspired or mentored you in your career? There are way too many to name. I look for opportunities to learn and grow in everything I do. As a result, I learn from everyone around me. I learn from my managers, I learn from my team, and I learn from my peers.

What do you feel is the most important aspect of your job? Helping my team to grow their skills and be the best they can possibly be is what is most important to me. 

What metrics or KPIs do you use to measure security effectiveness? This is something I would love to give a very direct answer to, but I have learned that doesn’t work. You need to understand your business and what is important, crafting KPIs that help measure outcomes and behaviours your organisation needs. This is different for every company and why it is such a challenging topic. We cannot always take a one size (metric) fits all approach.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Coming to Elastic with its distributed workforce approach, I was very excited to have 30+ countries at my disposal for hiring. The challenge lies in finding folks who have a passion for, and a true understanding of, security.

Finding those with critical thinking skills, a true understanding of underlying security objectives and the rationale for them is integral. The ability to be more creative and out of the box when defining solutions is where the security skills shortage lives to me.

Cybersecurity is constantly changing – how do you keep learning? My current focus has been on learning things outside of the specific realm of security and understanding how they might apply to InfoSec. We can’t be so insular and ignore everything else going on around us. I rely heavily on my team to help keep me educated on the more operational aspects of InfoSec these days and I focus my time on looking for ways we can approach security problems differently.

What conferences are on your must-attend list? I find smaller conferences and events to be the most useful for me these days. BSides events are great for security content. FAIRCon for quantified risk management is also on my list. I generally focus on more 1:1 interactions with others in the community to understand their challenges, how they are approaching them, and to share ideas.

What is the best current trend in cybersecurity? The worst? The best for me is the growing use of quantified risk management approaches. Security operates in the gray, and quantified risk management approaches, like FAIR, provide a means of putting structure and explanation around the gradients of gray versus trying to force things into a traditional, more definitive black and white picture. There are lots of variables and business implications to take into consideration in any security program and I feel we are now finally starting to talk about them all together as part of a holistic risk management approach.

What's the best career advice you ever received? The best advice I ever received was to be the person to raise their hand for the hard tasks no one else wants to do. It will be challenging and you will not always succeed, but you will learn an awful lot and will be better for it in the long run.

What advice would you give to aspiring security leaders? Don’t focus on perfect security - focus on what your organisation needs and what is best for customers and users; an application of the traditional adage perfect is the enemy of good.

What has been your greatest career achievement? Watching team members that I have mentored and managed for part of their career grow into professionals with skills and experiences they never thought they could accomplish. 

Looking back with 20:20 hindsight, what would you have done differently? Focus on people more. Early in my career I thought process and technology could solve anything. I was wrong and missed the biggest area of impact for too long - people.

What is your favourite quote? I like many by Abraham Lincoln. My current favorite is “I don’t like that man. I must get to know him better.”

What are you reading now? I am currently reading Biased by Dr. Jennifer Eberhardt.

In my spare time, I like to… I have three kids, so my spare time is spent being a chauffeur.

Most people don't know that I… have an inordinate amount of pop culture trivia in my brain. I was always wanted for the “useless trivia” topic in trivia games.

Ask me to do anything but… the same thing over and over again. I get bored very easily, which then gets me into trouble. I have never been any good at repetitive operational roles.